VLC 2.2.5.1 fixes buffer overflow and out-of-bounds read bugs related to subtitle decoding. A company called "Check Point" appears to have reported them, but they did not release any details. [1]
At least the following 5 commits relate to these bugs: [2]
Presumably all currently supported Ubuntu releases are affected by at least one bug fixed by the patches.
By the way, there seem to be other security-related commits in VLC that might need backporting, e.g. [3] [4]
[1]: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
[2]: https://github.com/videolan/vlc/search?q=checkpoint&type=Commits&utf8=%E2%9C%93
[3]: https://github.com/videolan/vlc/search?o=desc&p=1&q=overflow&s=committer-date&type=Commits&utf8=%E2%9C%93
[4]: https://github.com/videolan/vlc/search?o=desc&q=out+of+bound&s=committer-date&type=Commits&utf8=%E2%9C%93

This bug is meant to track the following public VLC CVEs and their status in Ubuntu. Here are the affected Ubuntu releases and the CVEs that affect that specific release:
- Xenial:
  - 2016-5108
  - 2017-10699
  - 2017-8310
  - 2017-8311
  - 2017-8312
  - 2017-8313
